diff options
Diffstat (limited to 'ratatoeskr')
-rw-r--r-- | ratatoeskr/backend.php | 14 | ||||
-rw-r--r-- | ratatoeskr/frontend.php | 32 | ||||
-rw-r--r-- | ratatoeskr/sys/Esc.php | 22 | ||||
-rw-r--r-- | ratatoeskr/sys/translation.php | 4 | ||||
-rw-r--r-- | ratatoeskr/sys/utils.php | 18 |
5 files changed, 59 insertions, 31 deletions
diff --git a/ratatoeskr/backend.php b/ratatoeskr/backend.php index c050922..df1ea5b 100644 --- a/ratatoeskr/backend.php +++ b/ratatoeskr/backend.php @@ -9,6 +9,8 @@ * See "ratatoeskr/licenses/ratatoeskr" for more information. */ +use r7r\cms\sys\Esc; + require_once(dirname(__FILE__) . "/sys/models.php"); require_once(dirname(__FILE__) . "/sys/pwhash.php"); require_once(dirname(__FILE__) . "/sys/textprocessors.php"); @@ -269,7 +271,7 @@ function build_backend_subactions() call_user_func($cb, $article); } $ste->vars["article_editurl"] = urlencode($article->urlname) . "/" . urlencode($editlang); - $ste->vars["success"] = htmlesc($translation["article_save_success"]); + $ste->vars["success"] = Esc::esc($translation["article_save_success"]); } catch (AlreadyExistsError $e) { $fail_reasons[] = $translation["article_name_already_in_use"]; } @@ -305,7 +307,7 @@ function build_backend_subactions() call_user_func($cb, $article); } $ste->vars["article_editurl"] = urlencode($article->urlname) . "/" . urlencode($editlang); - $ste->vars["success"] = htmlesc($translation["article_save_success"]); + $ste->vars["success"] = Esc::esc($translation["article_save_success"]); } catch (AlreadyExistsError $e) { $fail_reasons[] = $translation["article_name_already_in_use"]; } @@ -700,9 +702,9 @@ function build_backend_subactions() if ($imageaction == "markdown") { $ste->vars["embed_code"] = "![" . str_replace("]", "\\]", $_POST["img_alt"]) . "](%root%/images/" . str_replace(")", "\\)", urlencode($image->get_filename())) . ")"; } elseif ($imageaction == "html") { - $ste->vars["embed_code"] = "<img src=\"%root%/images/" . htmlesc(urlencode($image->get_filename())) . "\" alt=\"" . htmlesc($_POST["img_alt"]) . "\" />"; + $ste->vars["embed_code"] = "<img src=\"%root%/images/" . Esc::esc(urlencode($image->get_filename())) . "\" alt=\"" . Esc::esc($_POST["img_alt"]) . "\" />"; } elseif ($imageaction == "ste") { - $ste->vars["embed_code"] = "<img src=\"\$rel_path_to_root/images/" . htmlesc(urlencode($image->get_filename())) . "\" alt=\"" . htmlesc($_POST["img_alt"]) . "\" />"; + $ste->vars["embed_code"] = "<img src=\"\$rel_path_to_root/images/" . Esc::esc(urlencode($image->get_filename())) . "\" alt=\"" . Esc::esc($_POST["img_alt"]) . "\" />"; } } @@ -1617,7 +1619,7 @@ function build_backend_subactions() $ste->vars["success"] = $translation[$newstatus ? "plugins_activated" : "plugins_deactivated"]; if (!empty($api_incompat)) { - $ste->vars["error"] = htmlesc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["could_not_activate_plugin_api_incompat"])); + $ste->vars["error"] = Esc::esc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["could_not_activate_plugin_api_incompat"])); } } @@ -1679,7 +1681,7 @@ function build_backend_subactions() } if (!empty($api_incompat)) { - $ste->vars["notice"] = htmlesc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["plugins_incompat"])); + $ste->vars["notice"] = Esc::esc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["plugins_incompat"])); } echo $ste->exectemplate("/systemtemplates/pluginlist.html"); diff --git a/ratatoeskr/frontend.php b/ratatoeskr/frontend.php index 473ed8a..eb62378 100644 --- a/ratatoeskr/frontend.php +++ b/ratatoeskr/frontend.php @@ -9,6 +9,8 @@ * See "ratatoeskr/licenses/ratatoeskr" for more information. */ +use r7r\cms\sys\Esc; + require_once(dirname(__FILE__) . "/sys/utils.php"); require_once(dirname(__FILE__) . "/languages.php"); require_once(dirname(__FILE__) . "/sys/models.php"); @@ -110,8 +112,8 @@ function article_transform_ste($article, $lang) return [ "id" => $article->get_id(), "urlname" => $article->urlname, - "fullurl" => htmlesc("$rel_path_to_root/$lang/{$a_section->name}/{$article->urlname}"), - "title" => htmlesc($article->title[$lang]->text), + "fullurl" => Esc::esc("$rel_path_to_root/$lang/{$a_section->name}/{$article->urlname}"), + "title" => Esc::esc($article->title[$lang]->text), "text" => textprocessor_apply(str_replace("%root%", $rel_path_to_root, $article->text[$lang]->text), $article->text[$lang]->texttype), "excerpt" => textprocessor_apply(str_replace("%root%", $rel_path_to_root, $article->excerpt[$lang]->text), $article->excerpt[$lang]->texttype), "custom" => $article->custom, @@ -146,7 +148,7 @@ function comment_transform_ste($comment) return [ "id" => $comment->get_id(), "text" => $comment->create_html(), - "author" => htmlesc($comment->author_name), + "author" => Esc::esc($comment->author_name), "timestamp" => $comment->get_timestamp(), "__obj" => $comment ]; @@ -449,9 +451,9 @@ $ste->register_tag("comment_form", function ($ste, $params, $sub) { $previewbtn = $ste->evalbool(@$params["previewbtn"]) ? " <input type=\"submit\" name=\"preview_comment\" value=\"{$translation["comment_form_preview"]}\" />" : ""; if ($ste->evalbool(@$params["default"])) { - $form_body = "<p>{$translation["comment_form_name"]}: <input type=\"text\" name=\"author_name\" value=\"" . htmlesc(@$_POST["author_name"]) . "\" /></p> -<p>{$translation["comment_form_mail"]}: <input type=\"text\" name=\"author_mail\" value=\"" . htmlesc(@$_POST["author_mail"]) . "\" /></p> -<p>{$translation["comment_form_text"]}:<br /><textarea name=\"comment_text\" cols=\"50\" rows=\"10\">" . htmlesc(@$_POST["comment_text"]) . "</textarea></p> + $form_body = "<p>{$translation["comment_form_name"]}: <input type=\"text\" name=\"author_name\" value=\"" . Esc::esc(@$_POST["author_name"]) . "\" /></p> +<p>{$translation["comment_form_mail"]}: <input type=\"text\" name=\"author_mail\" value=\"" . Esc::esc(@$_POST["author_mail"]) . "\" /></p> +<p>{$translation["comment_form_text"]}:<br /><textarea name=\"comment_text\" cols=\"50\" rows=\"10\">" . Esc::esc(@$_POST["comment_text"]) . "</textarea></p> <p><input type=\"submit\" name=\"post_comment\" value=\"{$translation["comment_form_submit"]}\" />$previewbtn</p>"; } else { $ste->vars["current"]["oldcomment"] = [ @@ -501,7 +503,7 @@ $ste->register_tag("page_prev", function ($ste, $params, $sub) { parse_str(parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY), $query); $query["page"] = $params["current"] - 1; $url = $_SERVER["REDIRECT_URL"] . "?" . http_build_query($query); - return "<a href=\"" . htmlesc($url) . "\">" . (($ste->evalbool(@$params["default"])) ? $translation["page_prev"] : $sub($ste)) . "</a>"; + return "<a href=\"" . Esc::esc($url) . "\">" . (($ste->evalbool(@$params["default"])) ? $translation["page_prev"] : $sub($ste)) . "</a>"; }); $ste->register_tag("page_next", function ($ste, $params, $sub) { @@ -520,7 +522,7 @@ $ste->register_tag("page_next", function ($ste, $params, $sub) { parse_str(parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY), $query); $query["page"] = $params["current"] + 1; $url = $_SERVER["REDIRECT_URL"] . "?" . http_build_query($query); - return "<a href=\"" . htmlesc($url) . "\">" . (($ste->evalbool(@$params["default"])) ? $translation["page_next"] : $sub($ste)) . "</a>"; + return "<a href=\"" . Esc::esc($url) . "\">" . (($ste->evalbool(@$params["default"])) ? $translation["page_next"] : $sub($ste)) . "</a>"; }); /* @@ -571,8 +573,8 @@ $ste->register_tag("languages", function ($ste, $params, $sub) { foreach ($langs as $lang) { $ste->set_var_by_name($params["var"], [ "short" => $lang, - "fullname" => htmlesc($languages[$lang]["language"]), - "url" => htmlesc("$rel_path_to_root/$lang/" . implode("/", array_slice($ste->vars["current"]["url_fragments"], 1))) + "fullname" => Esc::esc($languages[$lang]["language"]), + "url" => Esc::esc("$rel_path_to_root/$lang/" . implode("/", array_slice($ste->vars["current"]["url_fragments"], 1))) ]); $output .= $sub($ste); } @@ -613,11 +615,11 @@ $ste->register_tag("styles_load", function ($ste, $params, $sub) { } } } - $output = "<style type=\"text/css\">\n" . htmlesc($output) . "</style>"; + $output = "<style type=\"text/css\">\n" . Esc::esc($output) . "</style>"; } else { $output = ""; foreach ($ste->vars["current"]["styles"] as $stylename) { - $output .= "<link rel=\"stylesheet\" type=\"text/css\" href=\"$rel_path_to_root/css.php?name=" . htmlesc($stylename) . "\" />\n"; + $output .= "<link rel=\"stylesheet\" type=\"text/css\" href=\"$rel_path_to_root/css.php?name=" . Esc::esc($stylename) . "\" />\n"; } } return $output; @@ -636,10 +638,10 @@ $ste->register_tag("styles_load", function ($ste, $params, $sub) { $ste->register_tag("title", function ($ste, $params, $sub) { $pagetitle = $sub($ste); if (isset($ste->vars["current"]["article"])) { - return "<title>" . htmlesc($ste->vars["current"]["article"]["title"]) . " – $pagetitle" . "</title>"; + return "<title>" . Esc::esc($ste->vars["current"]["article"]["title"]) . " – $pagetitle" . "</title>"; } if (isset($ste->vars["current"]["section"])) { - return "<title>" . htmlesc($ste->vars["current"]["section"]["title"]) . " – $pagetitle" . "</title>"; + return "<title>" . Esc::esc($ste->vars["current"]["section"]["title"]) . " – $pagetitle" . "</title>"; } return "<title>$pagetitle</title>"; }); @@ -811,7 +813,7 @@ function frontend_url_handler(&$data, $url_now, &$url_next) call_user_func($validator); } } catch (CommentRejected $e) { - $ste->vars["current"]["comment_fail"] = htmlesc($e->getMessage()); + $ste->vars["current"]["comment_fail"] = Esc::esc($e->getMessage()); $rejected = true; } if (!$rejected) { diff --git a/ratatoeskr/sys/Esc.php b/ratatoeskr/sys/Esc.php new file mode 100644 index 0000000..eaefc10 --- /dev/null +++ b/ratatoeskr/sys/Esc.php @@ -0,0 +1,22 @@ +<?php + + +namespace r7r\cms\sys; + +class Esc +{ + public const HTML = 1; + public const NL2BR = 2; + public const HTML_WITH_BR = self::HTML | self::NL2BR; + + public static function esc(string $s, int $flags = self::HTML): string + { + if ($flags & self::HTML) { + $s = htmlspecialchars($s, ENT_QUOTES, "UTF-8"); + } + if ($flags & self::NL2BR) { + $s = nl2br($s); + } + return $s; + } +} diff --git a/ratatoeskr/sys/translation.php b/ratatoeskr/sys/translation.php index fd494c1..0679ca7 100644 --- a/ratatoeskr/sys/translation.php +++ b/ratatoeskr/sys/translation.php @@ -9,6 +9,8 @@ * See "ratatoeskr/licenses/ratatoeskr" for more information. */ +use r7r\cms\sys\Esc; + require_once(dirname(__FILE__) . "/utils.php"); require_once(dirname(__FILE__) . "/init_ste.php"); @@ -28,7 +30,7 @@ if (!defined("TRANSLATION_PLUGIN_LOADED")) { return ""; } $rv = $translation[$params["for"]]; - return (!empty($params["raw"])) ? $rv : htmlesc($rv); + return (!empty($params["raw"])) ? $rv : Esc::esc($rv); } ); define("TRANSLATION_PLUGIN_LOADED", true); diff --git a/ratatoeskr/sys/utils.php b/ratatoeskr/sys/utils.php index a285bcd..8a848eb 100644 --- a/ratatoeskr/sys/utils.php +++ b/ratatoeskr/sys/utils.php @@ -22,6 +22,9 @@ * * An array with $val $n-times repeated. */ + +use r7r\cms\sys\Esc; + function array_repeat($val, $n) { $rv = []; @@ -40,19 +43,16 @@ function intcmp($a, $b) return ($a == $b) ? 0 : (($a < $b) ? -1 : 1); } -/* - * Function: htmlesc +/** * Escape HTML (shorter than htmlspecialchars) * - * Parameters: - * $text - Input text. - * - * Returns: - * HTML + * @param mixed $text Input text + * @return string HTML + * @deprecated Use {@see Esc::esc()} instead. */ -function htmlesc($text) +function htmlesc($text): string { - return htmlspecialchars($text, ENT_QUOTES, "UTF-8"); + return Esc::esc($text); } /* |